If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Hello Guest,Our records indicate that you have never posted to our site before! Why not make your first post today by saying hello to our community in our Introductions forum.

Please review the forums rules, start with your first post today and become an active part of petri.co.il forums now!

Nobody can install windows updates

27th May 2006, 09:24

Like the Title says nobody can install winodws updates. Thats not entirely true. I can if I log in with my user id but I'm domain admin but thats the only user id that can. I think this is a group policy issue but I'm not sure because I have not found it yet. I dont even use group policy that much in our domain. I have checked the default policies and see nothing that would do this. If I wanted to could I delete/remove all policies in effect and start fresh with new ones and see if that fixes the problems. If thats an option whats the best way of doing this?

Comment

Check your event logs and more importantly, check the file %systemroot%\WindowsUpdate.log. This log file contains verbose information on the Windows Update process whether you're using the Windows Update website, WSUS, or SUS. The log file should point you in the right direction as far as what is failing and why.

Note that for Windows Update to work properly, the following services need to be configured as shown:
Automatic Updates = Automatic Startup
Background Intelligent Transfer Service (BITS) = Manual Startup

I don't suspect your services are the problem since Administrators can install updates. If either of the above services were disabled, Administrators would not be able to install updates.

Another suggestion: Enable system auditing for all failure events, as well as file system auditing (ie on C:\ ) for all failure events. After users fail to install updates, check the Security Event Log for failure events.

Comment

How many PCs do you have in your domain? WSUS may be a good way to go.

There is about 30 - 35 pc's in the Domain all running XP. WUS is what I was thinking of doing as soon as I can figure out whats stopping the installation of the updates. I forgot to mention earlier that not only am I the domain admin the only one who can get a successfull install but you cant even do it if your logged in a local admin on the box. It works fine if I take the box out of the domain but once its in Im screwed again.

Cheers,
Chris

Comment

Check your event logs and more importantly, check the file %systemroot%\WindowsUpdate.log. This log file contains verbose information on the Windows Update process whether you're using the Windows Update website, WSUS, or SUS. The log file should point you in the right direction as far as what is failing and why.

Note that for Windows Update to work properly, the following services need to be configured as shown:
Automatic Updates = Automatic Startup
Background Intelligent Transfer Service (BITS) = Manual Startup

I don't suspect your services are the problem since Administrators can install updates. If either of the above services were disabled, Administrators would not be able to install updates.

Another suggestion: Enable system auditing for all failure events, as well as file system auditing (ie on C:\ ) for all failure events. After users fail to install updates, check the Security Event Log for failure events.

Jas

Are you saying to log into all the boxes and check their event logs?
I forgot to mention earlier that not only am I the domain admin the only one who can get a successfull install but you cant even do it if your logged in a local admin on the box. It works fine if I take the box out of the domain but once its in Im screwed again.

Each machine will have its own log file. But.... start with one machine and work the problem out with that one.

There's an extremely high probability that whatever is wrong with one machine is the same problem that is impacting all machines, assuming your machines are configured consistently. Apply the fix for the first machine to the remaining machines and chances are you've licked it. Use GPOs where possible to automate things.

Comment

Assuming you don't have an Update Error, look in C:\windows\windowsupdate.log for any errors (as well as the Event Viewer) on one machine as Jason suggests, you could also try changing the users permissions in the Windows Update key in the registry to Full Control FOR THAT KEY ONLY. User should then be able to manually update through IE.